Spoofing Caller ID illegal? Bad news for social engineering
`(1) IN GENERAL- It shall be unlawful for any person within the United States, in connection with any telecommunications service or IP-enabled voice service, to cause any caller identification service to transmit misleading or inaccurate caller identification information, unless such transmission is exempted pursuant to paragraph (3)(B).’
You can read the full text about it here: http://thomas.loc.gov/cgi-bin/bdquery/z?d110:s.00704:
During the last couple years I’ve made use of the Telespoof.com’s caller ID spoofing service during telephonic social engineering engagements. Spoofing caller ID is something a motivated attacker will do to look more legitimate. I’ve also seen an occasion where spoofing the caller ID could fool certain PBX systems into direct access into voice mail boxes.
Do I wish it was technologically impossible to spoof caller ID? You bet I do, it would make avoiding political fund raiser calls much easier. I know better, the bad guys will still spoof caller ID knowing that it will be virtually impossible to get caught. This means my customers who want authentic social engineering phone calls won’t get the total package and won’t know their true risk.
The downside to this law is only the bad guys will be spoofing caller ID. This will also put companies like telespoof.com out of business.
The upside is that it looks like Skype will be legally obliged to transmit caller ID. This is good news for people who have purchased Skype-IN phone numbers and whish it would transmit something other than +000000
More about Skype and caller ID here: http://share.skype.com/sites/en/2007/05/caller_identification_for_skyp.html